Removing Complexity from Cyber Security
For our May Blog Series we have joined forces with Cyber SC. Every Wednesday, in an effort to learn and speak more about cyber security, we will be sharing a post from their archives. As experts on the topic, we thought this would be a timely focus as we move away from COVID-19 and back to some semblance of normality. With many organizations in a vulnerable state, the topic is more important than ever, so we hope you enjoy it. A huge thank you to Dominic Vogel and his team at Cyber SC for making this possible!
The following is written by the team at Cyber SC
Picture yourself in the doctor’s office waiting for your doctor to open the door. The doctor walks in, pulls out his pad of paper and says “I see that you are having issues with your health” and then immediately starts writing a prescription. You’re thinking to yourself (or maybe you say out loud) “How can you prescribe something when you haven’t even asked any questions about my symptoms? How do you know that this is the medication I need?”
THERE IS VALUE IN DEFINING THE PROBLEM
This sounds like a ridiculous scenario, but it is what a lot of organizations settle for when they accept the prescribed solutions of cyber security technology providers. Companies are taken advantage of by sales people whose job is to market and sell their products. It’s not that the products are inferior; it’s that they may be inappropriate for your situation. The advice is biased: they sell hammers, so every cyber security problem becomes a nail, just as a doctor who prescribes a drug without first diagnosing the patient. How can they know that the recommended technology is the one you need when they have never asked what the problem is?
Looking at it from another angle, if you are shopping for a new vehicle, do you need a seven-seater SUV for a family of three? Before any recommendation is made, the business problem must first be defined by gathering the necessary information: what you are protecting, from whom, and what it would cost you to lose it. Throwing security solutions on top of problems without understanding the underlying business requirements you are trying to address is a waste of time and money.
COMPLEXITY IS THE ENEMY OF SECURITY
It’s always process first, then technology. CIOs are often tempted to chase the flashing lights of the latest and greatest technology. This solution-first approach is unsustainable; it puts the cart before the horse. It is better to have an exact problem with an approximate solution than an approximate problem with an exact solution. Don’t short-change yourself by settling for an approximate understanding of your needs, your problems and their implications for your operations. A technology-centric point of view adds complexity to cyber security, because the approach becomes 1) start with a solution and then 2) find a cyber security problem the solution supposedly solves. Security is not about picking a solution and working backwards to the problem.
Another common misconception is that cyber security is primarily about reacting to threats. Threat intelligence is an important part of managing cyber risk, but if your security program is primarily threat-centric you are not building a resilient architecture. Rather than only responding to the threat of the day, look in both directions: at the threats coming toward you and at your own position. Like a goalie in soccer or hockey who needs to know where the net is and where they are standing in relation to it, make sure you are in position before the shot comes. Avoid knee-jerk reactions to individual threats and instead focus on doing security correctly. Being proactively positioned will stop most attacks by default, because the majority of them rely on the basics not being done. If you proactively do the basics well, your security will be sustainable, simple and more cost effective. To do security effectively, it needs to be simple, and when the problem is well defined you are able to deal with it.
COMPLEXITY CAN DESTROY FUNCTIONALITY
If you were trying to secure a sensitive area in a physical building, it would require a secure door. If you put 50 locks on that door it is indeed secure, but it has lost its functionality as a door. The purpose of cyber security is to enable business processes, not to obstruct them. When you look at specific risks in isolation, you can weaken critical business processes. You need to look at how security fits into the overall enterprise and into your important business processes. Practically speaking, when a security process is more complex and less intuitive, employees will find ways around it, and a control that is bypassed provides no protection at all. It needs to be intuitive, simple and streamlined to be effective. This approach is not only more cost effective but also achieves faster risk reduction. Simplicity in Cyber Security = Risk Resilience.
At Cyber SC, we are ‘vendor agnostic.’ This is part of our moral code and it allows us to do the right thing every time for every client. If you would like an unbiased assessment of how your cyber security compares with industry standards, we would be happy to support you.